UK bulk spying challenge in European Court of Human Rights

Legal representatives of the UK government faced a raft of questions today from judges sitting in the European Court of Human Rights hearing a challenge to intelligence agencies’ bulk collection practices brought by a coalition of civil and human rights campaigners.

The American Civil Liberties Union, Amnesty International, Big Brother Watch, Liberty, Privacy International and nine other human rights and journalism groups based in Europe, Africa, Asia and the Americas joined three cases to challenge the legality of mass surveillance — a practice which only came to light after the 2013 NSA Whistleblower, Edward Snowden, leaked thousands of US intelligence agency documents to journalists.

The core challenge is whether the UK’s bulk communications interception program — and how UK state agents can receive data via similar US programs (Tempora, Prism and Upstream, respectively, as revealed by the Snowden disclosures) — interferes with fundamental rights under the European Convention of Human Rights.

The applicants in the case argue that because of the nature of their activities “it is very likely” that both the content of their private communications and metadata around it have been obtained by UK intelligence services — either via domestic interception powers or by way of programs operated by the US’ National Security Agency.

Similar challenges to state surveillance powers have been brought by some of these rights groups in the UK, and in 2015 the oversight court for the UK’s intelligence agencies ruled that secret data-sharing between the UK’s GCHQ and the NSA had breached European Human Rights law in the past; although the Investigatory Powers Tribunal also took the view that the practice, once disclosed and “signposted”, then became compliant with human rights law.

Rights groups disagreed and have now brought a legal challenge to UK mass surveillance in front of European judges sitting in Strasbourg.

In a statement today, Martha Spurrier, director of Liberty, said: “Our organisations exist to stand up for people and challenge abuse of power. We work with whistleblowers, victims, lawyers, journalists and campaigners around the world, so confidentiality and protection of our sources is vital. The UK government’s vast, cross-border mass surveillance regime – which lets it access millions of people’s communications every day – has made those protections meaningless.

“Losing our privacy is the gateway to losing everything that keeps us free – the right to protest, to a fair trial, to practise our religion, to think and speak freely. No country that deploys industrial-scale state surveillance has ever remained a rights-respecting democracy. We now look to the court to uphold our rights where our government has failed to do so.”

At today’s hearing the UK government’s case boiled down to arguing that existing oversight mechanisms and processes — including a Code of Practice for intercepted communications which the government only put out in January 2016 — effectively oversee bulk collection of Internet communications data, and provide adequate safeguards to protect fundamental human rights while also affording the intelligence agencies enough wriggle room to carry out their work in the interests of upholding national security.

Bulk collection of data is “critical for the discovery of threats and intelligence”, argued the government’s lawyer, reiterating the state’s repeated claim that it relies on bulk inception of Internet communications data as a “vital” intelligence gathering tool. “The intelligence services rely on the use of small pieces of intelligence information obtained through bulk interception in order to find new threats and those responsible for them,” he added.

Liberty et al’s legal representatives rejoined that the UK state’s bulk collection violates the European convention by being both untargeted and disproportionate, while also lacking adequate, independent safeguards. They also pointed out that technological advances have vastly expanded the state’s intrusion into individuals’ private lives — because “so much private and personal material is online, and because it can now be easily stored and searched in vast quantities”.

“The UK has a history of persistent and repeated breaches of Article 8 [right to privacy] in the field of state surveillance which its domestic courts have failed properly to restrain,” said one of the group’s lawyers today. “It is possible that this record reflects the UK’s relative good fortune — unlike some other Member States of the Council of Europe, the UK has not so far had to learn the bitter experience of the extent to which secret and unaccountable surveillance by the state can undermine democracy and freedom.”

On safeguards the lawyer went on to argue that the “multilayered” oversight process cited in defense of the state’s actions by its legal representative — such as having a UK government-appointed investigatory powers commissioner and the IPT oversight court (which can take evidence from intelligence agencies in closed hearings) — is not adequately independent of the agencies it is intended to oversee.

The current legal framework for state surveillance means the UK government is essentially saying ‘trust us’, the applicants’ lawyers argued, while letting individual intelligence agents make unscrutinized judgement calls while they operate inside the very agencies that are wielding hugely intrusive investigatory powers without robust, independent oversight to provide a meaningful check on state powers.

“The problem is obvious. One doesn’t have to suggest — and I don’t suggest — that officials of the intelligence services are acting in bad faith but the difficulty is that institutions have a culture, and have a natural predisposition to consider that things that they want to do and things that they can do are things that it is necessary and proportionate for them to do,” said the lawyer. “And that is why in order for there to be any real and effective protection for rights under Article 8 and Article 10 [freedom of expression] there must be some proper, rigorous, independent form of external control to hold these officials to account.

“Their case is trust us to keep you safe. Our case is have a legal framework to ensure that when carrying out their important functions these public authorities are doing no more than is truly proportionate and are only using these very intrusive powers when they’re necessary.”

“The threat is important,” she continued, touching on the national security point. “But the threat does not render the UK immune from the standards that apply under the convention. One of the important ways that our democracies resist the threats that they encounter is to reaffirm and to continue to protect our fundamental rights — including the right to privacy. And if we simply surrender all of that to the judgement of individual officials inside these secret agencies then we have already lost the important battle that we are fighting.”

The applicant’s lawyers also argued that data-sharing between intelligence agencies is being used as a means for UK intelligence agencies to effectively circumvent what legal safeguards do exist for domestic citizens by obtaining bulk intercept data from abroad — without the same restrictions.

“The US is by no means necessarily the only non-Council of Europe security service with which the UK intelligence services have a close working relationship, and from which they may obtain and use large quantities of intercepted communications and communications data,” noted a second lawyer for the group. “In relation to this third country intercept data even the RIPA limits on interception, inadequate as they are, do not apply. Because the interception is not conducted by a person who is in, or governed by, the law of the UK.”

If two people in the UK happen to use digital communications that are routed via servers in the US, for example, the lawyer queried why domestic legal protections do not apply — “and how it can be acceptable that no warrant, and no RIPA safeguards at all are required if the actual interception happens to have been conducted by a third country intelligence service”, even though the data is then “accessed and analyzed and stored by the UK intelligence services in precisely the same was as if it had conducted the interception itself”?

“The route by which that data travels is a matter of chance, and so now is the identity of the agency which happens to conduct the interception — so the fact that domestic law offers such different protections for the same uses, by the same security services, of the same data simply by virtual of the route by which it’s traveled or the identity of the agency which has intercepted it appears quite arbitrary,” she added. “It certainly calls for a rational explanation — and none has been provided.”

After verbal submissions by both parties the European Court judges directed a series of highly detailed questions to the UK government, including asking who controls permanent technical facilities for interception and who is in charge of turning such facilities on and off; whether data stored in cloud services outside the UK would be regarded as external communications for the purposes of legal oversight; whether warrants for bulk interception can be renewed without any limits; whether there are any rules governing the selectors that individual analysts can use to sift through bulk data and whether there’s any external body that can issue binding instructions/orders as regards the choice of selectors; whether there are any safeguards to limit the ability of a clause in domestic oversight law that enables analysts to retain intercepted material if they believe it is “likely to become necessary” in future; how many times the IPT has made suggestions for amendments to the domestic oversight framework to the UK parliament and whether parliament has made any such amendments as a result; and whether all UK communications services are under surveillance or only some.

Only a handful of questions were directed at the applicants bringing the challenge. And one of their lawyers subsequently seized on the UK government’s answer to the cloud services question as an example of what she dubbed the “lack of clarity and evasiveness” they argued characterizes the UK government’s position.

(On data held in cloud services the lawyer for the UK provided this knotty answer: “The documents held in the cloud are not of course communications. So the only circumstance in which it would be interesting and live to examine that is in relation to the actual uploading of documentation onto the cloud — and so far as that is concerned the same constraints on selection and examination would apply as they apply to all other communications. But it’s a bit as well perhaps to bear in mind that limit to which documents actually sitting in the cloud are, or are not as we suggest, communications.”)

She said: “As far as I understood him he said we think material that’s held on the cloud would not be a communication but that it might be or would be a communication when it was uploaded to the cloud. Now we find that a very strange answer in the light of the provisions of section 2, subsection 7 of RIPA… [which] says that for the purposes of this section the times while a communication is being transmitted by means of a telecommunications system shall be taken to include any time when the system, by means, of which the communication is being or has been transmitted, is used for storing it in a manner which enables the intended recipient to collect it or otherwise have access to it. And on that basis it is strange to see why my learned friend seeks to distinguish between uploading material to the cloud and material being stored on the cloud.

“Now we don’t know the answer to that question, because we don’t know how the agencies actually interpret these provisions. But that we say is an excellent example of the opacity and the difficulty of even understanding what powers the agencies claim to arrogate to themselves under this legislation.”

The full hearing lasted almost three hours before the panel of judges retired to begin deliberations. A spokeswoman for Liberty told us they do not have an expected date for a judgement, noting: “It’s really down to the court.”

The UK is currently in the process of leaving the 28 Member State European Union bloc, however it’s worth noting that the European Court of Human Rights is entirely separate to the EU — so the country will remain bound by judgements made by the court even after it departs the EU.

And while today’s hearing largely referenced the older RIPA legislation, there are clear implications for the UK’s newer surveillance framework — aka the Investigatory Powers Act — which cemented bulk collection in place as a core domestic intelligence technique at the end of last year, and components of which also subject to separate and ongoing legal challenges.